Home > Articles > Cisco Certification > CCNP > CCNP Security Secure 642-637 Quick Reference: Cisco Layer 2 Security

CCNP Security Secure 642-637 Quick Reference: Cisco Layer 2 Security

Chapter Description

The availability of dedicated Layer 2 attack tools makes it necessary to defend against possible attack by implementing the features that Cisco offers within IOS Software. This chapter describes the main types of Layer 2 attacks and how to defend against them.

VLAN Hopping

Switches implement virtual LANs (VLAN). Users connect to access ports that are members of a VLAN as specified in the switch configuration. VLAN hopping is where a user can gain access to a VLAN not assigned to the switch port to which the user connects.

A user can achieve this in two ways against the default configuration of a Cisco switch port. The first and most commonly used VLAN hopping method is where the attacker makes his workstation act as a trunk port. Most switches, in the default configuration, need only one side of a connection to announce themselves as a trunk; then the switch automatically trunks all available VLANs over the switch port. This results in the attacker seeing all traffic across all VLANs.

The second way an attacker can hop VLANs is by using double tagging. With double tagging, the attacker inserts a second 802.1q tag in front of the existing 802.1q tag. This relies on the switch stripping off only the first 802.1q tag and leaving itself vulnerable to the second tag. This is not as common a method of VLAN hopping as using trunking.

To ensure you do not fall foul of a VLAN hopping attack, you must ensure that all your user ports are assigned as access mode ports. Any unused ports should be disabled and set as access mode ports by default.

To set a switch port to access mode, use the following configuration command from interface configuration mode:

   Switch(config-if)# switchport mode access

By entering this command at the interface level, you switch the port into access mode; this port can never become a trunk port. It is a good practice to get into to ensure that all ports are configured in the correct mode. This should form part of your deployment strategy for all access layer switches in use within your organization.

When configuring a trunk port, the native VLAN need to be set to a unique VLAN, which is not routable or used elsewhere. To set a native VLAN on a trunk port, use the following configuration command from interface configuration mode:

   Switch(config-if)#    switchport trunk native vlan {number}
4. MAC Spoofing | Next Section Previous Section